Provide contextual help on auth provider configuration

Summary:
Ref T1536.

  - Move all the provider-specific help into contextual help in Auth.
  - This provides help much more contextually, and we can just tell the user the right values to use to configure things.
  - Rewrite account/registration help to reflect the newer state of the word.
  - Also clean up a few other loose ends.

Test Plan: {F46937}

Reviewers: chad, btrahan

Reviewed By: chad

CC: aran

Maniphest Tasks: T1536

Differential Revision: https://secure.phabricator.com/D6247

Author: epriestley

conf/default.conf.php

@@ -553,11 +553,6 @@
 
 // -- Auth ------------------------------------------------------------------ //
 
-  // Can users login with a username/password, or by following the link from
-  // a password reset email? You can disable this and configure one or more
-  // OAuth providers instead.
-  'auth.password-auth-enabled'  => true,
-
   // Maximum number of simultaneous web sessions each user is permitted to have.
   // Setting this to "1" will prevent a user from logging in on more than one
   // browser at the same time.
@@ -1032,10 +1027,6 @@
   'aphront.default-application-configuration-class' =>
     'AphrontDefaultApplicationConfiguration',
 
-  'controller.oauth-registration' =>
-    'PhabricatorOAuthDefaultRegistrationController',
-
-
   // Directory that phd (the Phabricator daemon control script) should use to
   // track running daemons.
   'phd.pid-directory' => '/var/tmp/phd/pid',

src/applications/auth/application/PhabricatorApplicationAuth.php

@@ -14,6 +14,18 @@ public function getIconName() {
     return 'authentication';
   }
 
+  public function getHelpURI() {
+    // NOTE: Although reasonable help exists for this in "Configuring Accounts
+    // and Registration", specifying a help URI here means we get the menu
+    // item in all the login/link interfaces, which is confusing and not
+    // helpful.
+
+    // TODO: Special case this, or split the auth and auth administration
+    // applications?
+
+    return null;
+  }
+
   public function buildMainMenuItems(
     PhabricatorUser $user,
     PhabricatorController $controller = null) {

src/applications/auth/controller/PhabricatorEmailLoginController.php

@@ -10,7 +10,7 @@ public function shouldRequireLogin() {
   public function processRequest() {
     $request = $this->getRequest();
 
-    if (!PhabricatorEnv::getEnvConfig('auth.password-auth-enabled')) {
+    if (!PhabricatorAuthProviderPassword::getPasswordProvider()) {
       return new Aphront400Response();
     }
 

src/applications/auth/controller/PhabricatorEmailTokenController.php

@@ -74,7 +74,7 @@ public function processRequest() {
     unset($unguarded);
 
     $next = '/';
-    if (!PhabricatorEnv::getEnvConfig('auth.password-auth-enabled')) {
+    if (!PhabricatorAuthProviderPassword::getPasswordProvider()) {
       $next = '/settings/panel/external/';
     } else if (PhabricatorEnv::getEnvConfig('account.editable')) {
       $next = (string)id(new PhutilURI('/settings/panel/password/'))

src/applications/auth/controller/config/PhabricatorAuthEditController.php

@@ -224,6 +224,12 @@ public function processRequest() {
           ->addCancelButton($cancel_uri)
           ->setValue($button));
 
+    $help = $provider->getConfigurationHelp();
+    if ($help) {
+      $form->appendChild(id(new PHUIFormDividerControl()));
+      $form->appendRemarkupInstructions($help);
+    }
+
     $crumbs = $this->buildApplicationCrumbs();
     $crumbs->addCrumb(
       id(new PhabricatorCrumbView())

src/applications/auth/provider/PhabricatorAuthProvider.php

@@ -21,6 +21,10 @@ public function getProviderConfig() {
     return $this->providerConfig;
   }
 
+  public function getConfigurationHelp() {
+    return null;
+  }
+
   public function getDefaultProviderConfig() {
     return id(new PhabricatorAuthProviderConfig())
       ->setProviderClass(get_class($this))

src/applications/auth/provider/PhabricatorAuthProviderOAuthDisqus.php

@@ -7,6 +7,24 @@ public function getProviderName() {
     return pht('Disqus');
   }
 
+  public function getConfigurationHelp() {
+    $login_uri = $this->getLoginURI();
+
+    return pht(
+      "To configure Disqus OAuth, create a new application here:".
+      "\n\n".
+      "http://disqus.com/api/applications/".
+      "\n\n".
+      "Create an application, then adjust these settings:".
+      "\n\n".
+      "  - **Callback URL:** Set this to `%s`".
+      "\n\n".
+      "After creating an application, copy the **Public Key** and ".
+      "**Secret Key** to the fields above (the **Public Key** goes in ".
+      "**OAuth App ID**).",
+      $login_uri);
+  }
+
   protected function newOAuthAdapter() {
     return new PhutilAuthAdapterOAuthDisqus();
   }

src/applications/auth/provider/PhabricatorAuthProviderOAuthFacebook.php

@@ -9,6 +9,25 @@ public function getProviderName() {
     return pht('Facebook');
   }
 
+  public function getConfigurationHelp() {
+    $uri = new PhutilURI(PhabricatorEnv::getProductionURI('/'));
+    return pht(
+      'To configure Facebook OAuth, create a new Facebook Application here:'.
+      "\n\n".
+      'https://developers.facebook.com/apps'.
+      "\n\n".
+      'You should use these settings in your application:'.
+      "\n\n".
+      "  - **Site URL**: Set this to your full domain with protocol. For ".
+      "    this Phabricator install, the correct value is: `%s`\n".
+      "  - **Site Domain**: Set this to the full domain without a protocol. ".
+      "    For this Phabricator install, the correct value is: `%s`\n\n".
+      "After creating your new application, copy the **App ID** and ".
+      "**App Secret** to the fields above.",
+      (string)$uri,
+      $uri->getDomain());
+  }
+
   public function getDefaultProviderConfig() {
     return parent::getDefaultProviderConfig()
       ->setProperty(self::KEY_REQUIRE_SECURE, 1);

src/applications/auth/provider/PhabricatorAuthProviderOAuthGitHub.php

@@ -7,6 +7,27 @@ public function getProviderName() {
     return pht('GitHub');
   }
 
+  public function getConfigurationHelp() {
+    $uri = PhabricatorEnv::getProductionURI('/');
+    $callback_uri = $this->getLoginURI();
+
+    return pht(
+      "To configure GitHub OAuth, create a new GitHub Application here:".
+      "\n\n".
+      "https://github.com/settings/applications/new".
+      "\n\n".
+      "You should use these settings in your application:".
+      "\n\n".
+      "  - **URL:** Set this to your full domain with protocol. For this ".
+      "    Phabricator install, the correct value is: `%s`\n".
+      "  - **Callback URL**: Set this to: `%s`\n".
+      "\n\n".
+      "Once you've created an application, copy the **Client ID** and ".
+      "**Client Secret** into the fields above.",
+      $uri,
+      $callback_uri);
+  }
+
   protected function newOAuthAdapter() {
     return new PhutilAuthAdapterOAuthGitHub();
   }

src/applications/auth/provider/PhabricatorAuthProviderOAuthGoogle.php

@@ -7,6 +7,27 @@ public function getProviderName() {
     return pht('Google');
   }
 
+  public function getConfigurationHelp() {
+    $login_uri = $this->getLoginURI();
+
+    return pht(
+      "To configure Google OAuth, create a new 'API Project' here:".
+      "\n\n".
+      "https://code.google.com/apis/console/".
+      "\n\n".
+      "You don't need to enable any Services, just go to **API Access**, ".
+      "click **Create an OAuth 2.0 client ID...**, and configure these ".
+      "settings:".
+      "\n\n".
+      "  - During initial setup click **More Options** (or after creating ".
+      "    the client ID, click **Edit Settings...**), then add this to ".
+      "    **Authorized Redirect URIs**: `%s`\n".
+      "\n\n".
+      "After completing configuration, copy the **Client ID** and ".
+      "**Client Secret** to the fields above.",
+      $login_uri);
+  }
+
   protected function newOAuthAdapter() {
     return new PhutilAuthAdapterOAuthGoogle();
   }

src/applications/auth/provider/PhabricatorAuthProviderPassword.php

@@ -9,6 +9,12 @@ public function getProviderName() {
     return pht('Username/Password');
   }
 
+  public function getConfigurationHelp() {
+    return pht(
+      'You can select a minimum password length by setting '.
+      '`account.minimum-password-length` in configuration.');
+  }
+
   public function getDescriptionForCreate() {
     return pht(
       'Allow users to login or register using a username and password.');
@@ -227,4 +233,16 @@ public function willRegisterAccount(PhabricatorExternalAccount $account) {
     $account->setAccountID($account->getUserPHID());
   }
 
+  public static function getPasswordProvider() {
+    $providers = self::getAllEnabledProviders();
+
+    foreach ($providers as $provider) {
+      if ($provider instanceof PhabricatorAuthProviderPassword) {
+        return $provider;
+      }
+    }
+
+    return null;
+  }
+
 }

src/applications/base/controller/PhabricatorController.php

@@ -101,7 +101,7 @@ final public function willBeginExecution() {
 
     if ($this->shouldRequireLogin() && !$user->getPHID()) {
       $login_controller = new PhabricatorAuthStartController($request);
-      $login_controller->setCurrentApplication(
+      $this->setCurrentApplication(
         PhabricatorApplication::getByClass('PhabricatorApplicationAuth'));
       return $this->delegateToController($login_controller);
     }

src/applications/config/option/PhabricatorAuthenticationConfigOptions.php

@@ -13,19 +13,6 @@ public function getDescription() {
 
   public function getOptions() {
     return array(
-      $this->newOption(
-        'auth.password-auth-enabled', 'bool', true)
-        ->setBoolOptions(
-          array(
-            pht("Allow password authentication"),
-            pht("Don't allow password authentication")
-          ))
-        ->setSummary(pht("Enables password-based authentication."))
-        ->setDescription(
-          pht(
-            "Can users login with a username/password, or by following the ".
-            "link from a password reset email? You can disable this and ".
-            "configure one or more OAuth providers instead.")),
       $this->newOption('auth.sessions.web', 'int', 5)
         ->setSummary(
           pht("Number of web sessions a user can have simultaneously."))

src/applications/config/option/PhabricatorExtendingPhabricatorConfigOptions.php

@@ -47,12 +47,6 @@ public function getOptions() {
         ->setBaseClass('AphrontApplicationConfiguration')
         // TODO: This could probably use some better documentation.
         ->setDescription(pht("Application configuration class.")),
-       $this->newOption(
-         'controller.oauth-registration',
-         'class',
-         'PhabricatorOAuthDefaultRegistrationController')
-        ->setBaseClass('PhabricatorOAuthRegistrationController')
-        ->setDescription(pht("OAuth registration controller.")),
     );
   }
 

src/applications/people/storage/PhabricatorUser.php

@@ -612,7 +612,7 @@ public function sendUsernameChangeEmail(
     $new_username = $this->getUserName();
 
     $password_instructions = null;
-    if (PhabricatorEnv::getEnvConfig('auth.password-auth-enabled')) {
+    if (PhabricatorAuthProviderPassword::getPasswordProvider()) {
       $uri = $this->getEmailLoginURI();
       $password_instructions = <<<EOTXT
 If you use a password to login, you'll need to reset it before you can login

src/applications/settings/panel/PhabricatorSettingsPanelPassword.php

@@ -25,7 +25,7 @@ public function isEnabled() {
 
     // ...or this install doesn't support password authentication at all.
 
-    if (!PhabricatorEnv::getEnvConfig('auth.password-auth-enabled')) {
+    if (!PhabricatorAuthProviderPassword::getPasswordProvider()) {
       return false;
     }
 

src/docs/configuration/configuration_guide.diviner

@@ -150,8 +150,11 @@ Now, navigate to whichever subdomain you set up. You should see instructions to
 continue setup. The rest of this document contains additional instructions for
 specific setup steps.
 
-When you see the login screen, continue with @{article:Configuring Accounts and
-Registration}.
+When you resolve any issues and see the welcome screen, enter credentials to
+create your initial administrator account. After you log in, you'll want to
+configure how other users will be able to log in or register -- until you do,
+no one else will be able to sign up or log in. For more information, see
+@{article:Configuring Accounts and Registration}.
 
 = Storage: Configuring MySQL =